Merge pull request #247 from jelmersnoeck/xss-fix-ajax-search

XSS: Escape the input on ajax searches.
forkcms · Mar 1, 2012 · 03e8f5b · 03e8f5b
2 parents f975b42 + 641e27b
commit 03e8f5b
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/frontend/modules/search/ajax/autocomplete.php b/frontend/modules/search/ajax/autocomplete.php
@@ -23,7 +23,8 @@ public function execute()
 		parent::execute();
 
 		// get parameters
-		$term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 		$limit = (int) FrontendModel::getModuleSetting('search', 'autocomplete_num_items', 10);
 
 		// validate

diff --git a/frontend/modules/search/ajax/autosuggest.php b/frontend/modules/search/ajax/autosuggest.php
@@ -214,7 +214,8 @@ public function parse()
 	private function validateForm()
 	{
 		// set values
-		$this->term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 		$this->length = (int) SpoonFilter::getPostValue('length', null, 50);
 
 		// validate

diff --git a/frontend/modules/search/ajax/livesuggest.php b/frontend/modules/search/ajax/livesuggest.php
@@ -365,7 +365,8 @@ protected function parsePagination()
 	private function validateForm()
 	{
 		// set search term
-		$this->term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$this->term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 
 		// validate
 		if($this->term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');

diff --git a/frontend/modules/search/ajax/save.php b/frontend/modules/search/ajax/save.php
@@ -22,7 +22,8 @@ public function execute()
 		parent::execute();
 
 		// get parameters
-		$term = SpoonFilter::getPostValue('term', null, '');
+		$searchTerm = SpoonFilter::getPostValue('term', null, '');
+		$term = (SPOON_CHARSET == 'utf-8') ? SpoonFilter::htmlspecialchars($searchTerm) : SpoonFilter::htmlentities($searchTerm);
 
 		// validate
 		if($term == '') $this->output(self::BAD_REQUEST, null, 'term-parameter is missing.');